United States · HIPAA Privacy Rule

Run HIPAA access, amendment, and breach notices in one platform

For public-sector covered entities — public hospitals, county and state health departments, and Medicaid agencies — AccessPoint manages the individual right of access to protected health information, amendment requests, and breach notification, inside your own Microsoft 365 tenant.

United States — HIPAA at a glance

Access deadline
30 calendar days, with one 30-day extension (45 CFR 164.524)
Access fee
A reasonable, cost-based fee only
Amendment deadline
60 days to act, with one 30-day extension (45 CFR 164.526)
Breach notification
Without unreasonable delay, no later than 60 calendar days (45 CFR 164.404)
Oversight
HHS Office for Civil Rights (civil money penalties)
Languages
English

Built for United States — HIPAA

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

Right-of-access requests

Run an individual's access to their PHI on the 30-day clock, with the single 30-day extension, the requested form and format where readily producible, and a reasonable cost-based fee, all built on Microsoft 365.

Amendment requests

Manage 164.526 amendment requests end to end — the 60-day clock, the grounds for denial, the individual's statement of disagreement, and the entity's rebuttal, all recorded.

Breach notification

Log a breach of unsecured PHI, run the risk assessment, and get a live checklist of who must be notified — affected individuals, the HHS Secretary, and the media — and by when.

Designated record set and minimum necessary

Scope each request to the designated record set and apply minimum-necessary handling, with every access and disclosure logged.

Built for OCR scrutiny

Access is one of OCR's most-enforced provisions — every request carries a timestamped trail and a defensible record if a complaint is filed.

In your own tenant

Protected health information stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no vendor access to PHI, no cross-border transfers.

The Right of Access Initiative

OCR made the right of access an enforcement priority. Miss the 30-day clock and it's a finding.

The individual right of access under 45 CFR 164.524 is one of the most actively enforced provisions in HIPAA. Since 2019 the HHS Office for Civil Rights has resolved dozens of cases under its Right of Access Initiative — most turning on a covered entity that took too long, charged too much, or never produced the record. The rule is specific: act within 30 days, take at most one 30-day extension, provide the copy in the form and format the individual asked for where readily producible, and charge only a reasonable, cost-based fee. AccessPoint runs each access request on that clock, with the fee basis, the delivery format, and the full trail an OCR investigator would expect — so a routine request never becomes a settlement.

The 30-day clock One extension, tracked — not an open-ended queue.
Cost-based fees only A defensible, itemized fee on every access request.
OCR-ready record A timestamped trail built for a complaint investigation.

Configured out of the box

Installing the us-hipaa configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • The HIPAA Privacy Rule access (164.524) and amendment (164.526) rights as the workflow spine
  • The 30-day access clock with the single 30-day extension and calendar-day math
  • Designated-record-set scoping and minimum-necessary handling
  • Reasonable cost-based fee calculation and itemization
  • Section 164.526 amendment grounds, denials, and statement-of-disagreement handling
  • The Breach Notification Rule (164.400–414) risk assessment and notification checklists
  • Individual, HHS Secretary, and media notification templates with their deadlines
  • A timestamped audit trail built for OCR investigations

United States — HIPAA Questions

Who is this HIPAA configuration for?

Public-sector covered entities — public hospitals, county and state health departments, Medicaid agencies, and public university health services — handling individuals' requests to access and amend their own protected health information. It is not a public records or FOI tool; it runs the HIPAA Privacy Rule rights and the Breach Notification Rule.

How long do we have to respond to a right-of-access request?

No later than 30 calendar days after receipt, with one 30-day extension on written notice to the individual (45 CFR 164.524). You may charge only a reasonable, cost-based fee. AccessPoint tracks the clock, the extension, the requested format, and the fee basis on every request.

Does it handle amendment requests and breach notification?

Yes. AccessPoint runs 164.526 amendments — the 60-day clock, the single 30-day extension, the grounds for denial, and the individual's statement of disagreement — and the Breach Notification Rule (164.400–414), including the 60-day individual-notice deadline and reporting to the HHS Secretary.

Where does protected health information reside?

Entirely within your own Microsoft 365 and Azure tenant. PHI, requests, and audit history never leave your control — no third-party cloud, no vendor access, and no cross-border data transfers.

Run HIPAA Access, Amendment, and Breach in One Platform

Try AccessPoint free for 30 days, configured for HIPAA covered entities. No credit card required.

Start Free Trial